ermajn, posted November 21, 2008

Hi,

I'm planning to implement some kind of sandbox. The point will be to prevent:
- calling of functions which are not on the approved list
- opening of system files or files from the internet (like file_get_contents('/etc/passwd.'), or file_get_contents('/www/controll.php') )
- any kind of metaprogramming ($foo->$bar; Foo::$bar, new $foo, $$bar, $foo(), etc...)
- using ini_set(), set_time_limit(), etc.

Does something similar exist out there? I have tried to search, but found nothing. And... if not, what would you suggest to begin with? Maybe token_get_all()?

Thanks

MasterACE14, posted November 21, 2008

there are some out there. Take a look at the Eval Function

PFMaBiSmAd, posted November 21, 2008

> what would you suggest

What exactly are you trying to accomplish? What is your application doing such that you would need to do this? The more specific your question is, the more specific the answer can be.

ermajn, posted November 21, 2008

> > what would you suggest
>
> What exactly are you trying to accomplish? What is your application doing such that you would need to do this? The more specific your question is, the more specific the answer can be.

This is not specific enough?
- calling of functions which are not on the approved list
- opening of system files or files from the internet (like file_get_contents('/etc/passwd.'), or file_get_contents('/www/controll.php') )
- any kind of metaprogramming ($foo->$bar; Foo::$bar, new $foo, $$bar, $foo(), etc...)
- using ini_set(), set_time_limit(), etc.

ermajn, posted November 21, 2008

> there are some out there. Take a look at the Eval Function

eval() evaluates PHP code. This can be useful, but it is not something that does things like preventing files that are not on the whitelist from being opened. I was asking whether there is something that does exactly that... but I guess that I must write it from scratch.

MasterACE14, posted November 21, 2008

you can run your checks first, before evaluating the end result of the code. Put the whitelisted functions in a text file, and in your sandbox, you can use a function via a text box or something, then run a check of that function against the whitelisted functions text file, if it is in the white list, then eval() the code/function.

ermajn, posted November 21, 2008

> you can run your checks first, before evaluating the end result of the code. Put the whitelisted functions in a text file, and in your sandbox, you can use a function via a text box or something, then run a check of that function against the whitelisted functions text file, if it is in the white list, then eval() the code/function.

Thanks a lot for the suggestion.

PFMaBiSmAd, posted November 21, 2008

There may in fact be an existing script that does what you want, but you would need to provide information (keywords) on what your application is trying to accomplish in order for anyone to specifically help. An existing script would be known by the overall goal it performs, not by a list of features it contains.

ShiloVir, posted November 21, 2008

Is this what you're trying to accomplish?

```php
<?php
// Print PHP source as a syntax-highlighted, numbered list.
// $type is "text" (source passed as a string) or "file" (path to a source file).
function phpcode($str, $type)
{
    switch ($type) {
        case "text":
            $str = highlight_string($str, true);
            break;
        case "file":
            $str = highlight_file($str, true);
            break;
    }
    // Split the highlighted HTML on <br /> to get one list item per line.
    $str = explode("<br />", $str);
    echo "<code><div>";
    echo "<ol>\n";
    foreach ($str as $line => $syntax) {
        echo "<li>" . $syntax . "</li>";
    }
    echo "</ol>\n";
    echo "</div>";
    echo "</code>";
}
?>
```

Then call your file from either a textbox and echo it like this:

```php
<?php phpcode($_POST['sandbox'], "text"); ?>
```

or you can call it from a .txt file and echo it like this:

```php
<?php phpcode("code/example1.txt", "file"); ?>
```

ermajn, posted November 21, 2008

Khm... yes, but in the part where you highlight the content of the file, I want to check whether there is any function that is on the blacklist, or any file_get_contents trying to open a file from the blacklist. I want to do that with token_get_all(); for now, I have not found any better solution.

Thanks

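The token-based check described in the post above, as an added example that is not part of any post in this thread: it walks token_get_all() output (PHP 8+ token names) and reports calls to names outside an approved list, plus the dynamic forms listed in the first post. The function name sandbox_violations(), the $allowed list and the sample snippets are constructed for illustration.

```php
<?php
// Added example (PHP 8+), not from the thread; names and samples are constructed.
function sandbox_violations(string $code, array $allowed): array
{
    $skip    = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG];
    $names   = [T_STRING, T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED, T_NAME_RELATIVE];
    // Constructs that run or load code without any function-call token.
    $banned  = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    // After these, a variable is a dynamic name: new $foo, $foo->$bar, Foo::$bar.
    $dynamic = [T_NEW, T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON];

    // Normalise tokens to [id, text]; single-character tokens get id null.
    $tokens = array_map(fn($t) => is_array($t) ? $t : [null, $t], token_get_all($code));
    $tokens = array_values(array_filter($tokens, fn($t) => !in_array($t[0], $skip, true)));

    $found = [];
    foreach ($tokens as $i => [$id, $text]) {
        $prev = $tokens[$i - 1] ?? [null, ''];
        $next = $tokens[$i + 1] ?? [null, ''];
        if (in_array($id, $banned, true) || ($id === null && $text === '`')) {
            $found[] = "$text is not allowed";
        } elseif ($id === null && $text === '$') {
            $found[] = 'variable variable ($$name)';
        } elseif ($id === T_VARIABLE && in_array($prev[0], $dynamic, true)) {
            $found[] = "dynamic name $text";
        } elseif ($next[0] === null && $next[1] === '(') {
            // Something is called; method and class names are held to the same list.
            $name = strtolower(ltrim($text, '\\'));
            if ($id === T_VARIABLE || $id === T_CONSTANT_ENCAPSED_STRING) {
                $found[] = "dynamic call via $text";
            } elseif (in_array($id, $names, true) && !in_array($name, $allowed, true)) {
                $found[] = "$name() is not on the approved list";
            }
        }
    }
    return $found;
}

$allowed = ['strlen', 'strtoupper']; // lower-case names
$samples = [
    '<?php echo strtoupper("ok"), strlen("abc");',
    '<?php ini_set("memory_limit", "-1"); echo file_get_contents("/etc/passwd");',
    '<?php $f = "strlen"; echo $f("x"); $o = new $cls; echo $$name, $o->$prop;',
];
foreach ($samples as $src) {
    $v = sandbox_violations($src, $allowed);
    echo $src, "\n  ", $v ? implode("\n  ", $v) : 'accepted', "\n";
}
```

A check like this narrows what source is accepted but is not a sandbox by itself: approved functions that take callback names or file paths still need their arguments constrained at run time, for example with the open_basedir and disable_functions settings in php.ini.
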
nadeemshafi9, posted November 21, 2008

> Khm... yes, but in the part where you highlight the content of the file, I want to check whether there is any function that is on the blacklist, or any file_get_contents trying to open a file from the blacklist. I want to do that with token_get_all(); for now, I have not found any better solution.
>
> Thanks

regular expressions m8 check for them

ermajn, posted November 21, 2008

Heh, does somebody know how to get the content of a PHP script into a string? get_file_content won't return anything..

```php
<?php
$str = "test.php";
if (file_exists($str)) {
    // Read the script's source as a string
    $content = file_get_contents($str);
    echo $content;
} else {
    print "there is no file";
}
```

Content of test.php is

```php
<?php echo "blah blah"; ?>
```

ermajn, posted November 21, 2008

> Heh, does somebody know how to get the content of a PHP script into a string? get_file_content won't return anything..
>
> ```php
> <?php
> $str = "test.php";
> if (file_exists($str)) {
>     $content = file_get_contents($str);
>     echo $content;
> } else {
>     print "there is no file";
> }
> ```
>
> Content of test.php is
>
> ```php
> <?php echo "blah blah"; ?>
> ```

Solved this!